Meimo ID

Documentation

Continue with Meimo — API reference

Quick start

  1. Register your organization and complete business verification.
  2. Create an application from your dashboard — you'll receive a client_id and client_secret.
  3. Redirect users to app.meimoid.com/oauth-authorize with your parameters.
  4. Exchange the returned code for tokens at POST /v1/oauth/token.

Authorization flow

Standard OAuth 2.0 authorization code grant with PKCE (S256 only — plain is not accepted).

# 1. Redirect the user's browser
GET https://app.meimoid.com/oauth-authorize
  ?response_type=code&client_id=...&redirect_uri=...
  &scope=identity+profile+phone&state=...
  &code_challenge=...&code_challenge_method=S256

# 2. User approves. Browser is redirected back:
GET https://yourapp.com/callback?code=AUTH_CODE&state=...

# 3. Your backend exchanges the code (server-to-server):
POST https://api.meimoid.com/v1/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTH_CODE
&redirect_uri=https://yourapp.com/callback
&client_id=...&client_secret=...
&code_verifier=...

# 4. Fetch claims:
GET https://api.meimoid.com/v1/oauth/userinfo
Authorization: Bearer ACCESS_TOKEN

Endpoints

GET/v1/oauth/clients/:clientId

Public application info (name, organization, requested scopes) — used to render the consent screen before the user does anything.

Auth: None

POST/v1/oauth/token

Server-to-server code/refresh-token exchange. Called by your backend, never the browser.

Auth: client_id + client_secret

GET/v1/oauth/userinfo

Returns the claims granted at consent. Filtered strictly by the scopes actually approved — never more.

Auth: Bearer access_token

GET/v1/oauth/picture

The URL returned in userinfo's picture claim — the user's live-captured profile photo, as bytes.

Auth: Bearer access_token

Error codes

CodeMeaning
invalid_requestA required parameter is missing or malformed.
access_deniedThe user declined consent.
invalid_grantThe authorization code is invalid, expired, or already used — codes are single-use.
invalid_clientclient_id/client_secret don't match a registered, non-revoked application.